I have ONE cable modem for access to the Internet. The cable modem holds the public IP. The cable modem's LAN IP is 192.168.0.1, and it gives out addresses starting with 192.168.0.100 via DHCP to two connections:
1) I plug one Ethernet cable from the cable modem into MKT ETH2 of the CCR1036. I set up the ETH2 WAN connection, activated the IP client (192.168.0.100 with gateway 192.168.0.1) for ETH2, marked the route as default route, added the 8.8.8.8 DNS, added the NAT masquerade for ETH2 out, and added firewall rules to accept all inbound/outbound for ETH2 in/out. Plus the DHCP server for the connected LAN (192.168.60.0/24) at SFP2 (with IP 192.168.60.1). The connection to the Internet is set up, and all works fine as per standard procedure for all the connected devices in the 192.168.60.0/24 local LAN.
2) I plug another Ethernet cable from the very same cable modem mentioned above into a Netgear R7000 with DD-WRT (192.168.0.101 assigned by the cable modem for the R7000) and I successfully establish an OpenVPN tunnel with the DD-WRT OpenVPN client. The Netgear R7000 IP is 192.168.5.1 and the DHCP gives addresses from 192.168.5.100 (and the DNS 8.8.8.. Now I connect with an Ethernet cable from the R7000 to the MKT ETH4 WAN on the CCR1036. I set up the ETH4 connection, activated the IP client (I get 192.168.5.100 with gateway 192.168.5.1), added the NAT masquerade for ETH4 out, added a mangle rule (just for one device, IP 192.168.60.5) in prerouting with route mark 'OpenVPN' (passthrough yes), and added firewall rules to accept all inbound/outbound for ETH4. For the route I added 0.0.0.0/24 manually for ETH4 with the route mark 'OpenVPN'. It is the same connected LAN (192.168.60.0/24) after all, with just one client device (192.168.60.5) to go through this R7000 w/OpenVPN construct, basically.
The issue is that the device (192.168.60.5) which goes out through ETH4 cannot connect to the Internet! I cannot get any ping for 8.8.8.8 either. The internal local LAN access works fine: I can access the CCR1036 (192.168.60.1), the R7000 (192.168.5.1) or the cable modem (192.168.0.1) via the web GUI and ping them.
Please advise with any tips on how I could establish the connection to the Internet via ETH4. Is this DNS related or is the whole setup screwed up? Any smart routing I could do? Funnily enough, if I remove the default route tick for ETH2 in the connections overview and do a manual/static IP route entry for 0.0.0.0/24 with ETH2, I lose the Internet connection as well. So I don't fully get what the difference between a static and a dynamic entry in the routing table is. Let me know.
The starting point is that I need to use OpenVPN (and do this with the R7000 with DD-WRT) for a device on the MKT LAN.
Please advise, any help greatly appreciated!
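
An added example, not part of the original post: a longest-prefix-match lookup over routing tables built from the addresses above, showing which destinations a `0.0.0.0/24` entry covers compared with `0.0.0.0/0`. The table contents and function names are constructed assumptions; only the lookup inside one table is modelled, not what the router does with a marked packet that finds no route.

```python
import ipaddress

# Constructed tables using the post's addresses: (prefix, gateway, interface).
TABLES = {
    "main": [
        ("0.0.0.0/0", "192.168.0.1", "ETH2"),    # dynamic default route
        ("192.168.0.0/24", None, "ETH2"),        # connected networks
        ("192.168.5.0/24", None, "ETH4"),
        ("192.168.60.0/24", None, "SFP2"),
    ],
    # Manual entry carrying the 'OpenVPN' route mark, as written in the post.
    "OpenVPN": [("0.0.0.0/24", "192.168.5.1", "ETH4")],
}


def coverage(prefix):
    """First and last address a route prefix matches."""
    net = ipaddress.ip_network(prefix)
    return str(net[0]), str(net[-1])


def lookup(dst, table):
    """Longest-prefix match in one table; None if no entry covers dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def with_default(tables, name, gateway, iface):
    """Copy of the tables in which `name` holds a /0 default route."""
    fixed = dict(tables)
    fixed[name] = [("0.0.0.0/0", gateway, iface)]
    return fixed


if __name__ == "__main__":
    print("0.0.0.0/24 covers", coverage("0.0.0.0/24"))
    print("0.0.0.0/0  covers", coverage("0.0.0.0/0"))
    fixed = with_default(TABLES, "OpenVPN", "192.168.5.1", "ETH4")
    for dst in ("8.8.8.8", "192.168.5.1"):
        print(dst, "main:", lookup(dst, TABLES["main"]))
        print(dst, "OpenVPN (/24):", lookup(dst, TABLES["OpenVPN"]))
        print(dst, "OpenVPN (/0):", lookup(dst, fixed["OpenVPN"]))
```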